[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [BEHAVE] Comments on the NAT66 draft
Hosting this discussion on the behave WG mailing list is certainly not
an attempt to avoid folks in v6ops having feedback on the work, it is
just that behave seems like the right place to work on the actual
specification. With all of the v4v6 translation discussion happening
in behave, I think we've been hoping that the v6 folks will show up in
behave and have this discussion, and do this work, there.
I'm sure that the v6ops chairs are aware of this work -- my co-author
Fred Baker is one of them. If they think that it would be useful to
discuss NAT66 in v6ops, I'd certainly be happy to come to the v6ops
meeting and talk about it.
Personally, though, I'd rather that we discuss this in one forum
(behave) and that interested people bring their thoughts, opinions and
feedback to that forum.
On Nov 5, 2008, at 11:31 AM, Wes Beebee (wbeebee) wrote:
I understand that NAT66 work on the details is being done in the
BEHAVE Working Group - but shouldn't we also include a discussion at
v6ops on whether NAT66 should be standardized? After all, they're
more privy to the discussions that created the Local Network
From: email@example.com [mailto:firstname.lastname@example.org] On
Behalf Of Rémi Després
Sent: Wednesday, November 05, 2008 10:21 AM
To: Margaret Wasserman
Cc: Behave WG
Subject: [BEHAVE] Comments on the NAT66 draft
Sorry for so late an answer (I was too busy preparing my own draft
before the deadline).
Here are my comments, section per section.
Sec. 3 - Motivation)
a. I _FULLY SUPPORT_ that IETF should standardize some ways to keep,
in IPv6, appreciated benefits of NAT44s (and to avoid as much as
possible their drawbacks).
b. In your list of NAT44 appreciated services (i.e. provider
independent addressing, simplified site multihoming, topology
hiding), "host privacy" should IMHO be added. This is the
impossibility, from the outside, to see that several consecutive
connections were initiated by the same host.
c. Concerning multihoming, a more detailed analysis of what NATs do,
and don't do, would be a useful clarification. (In particular, they
are incompatible with multihoming of both Shim6 and SCTP. These the
protocols, to take advantage of multihoming, exchange address
information in payloads, protected by strong checksums.)
Sec. 4 - NAT66 overview
a. Since your proposed mechanism is only based on stateless and
reversible _mappings_, calling it a NAT leads, IMHO, to confusion:
NATs are generally understood, and used, as NAPTs. They do stateful
and non-reversible 1:n _translations_.
b. With a different name than NAT for such a proposal, IETF could
advertise that it _does not endorse NATs in IPv6_. This would IMHO
increase (or restore?) confidence in IPv6. "Mapping" instead of
"translation"would be a logical word in such a name.
Sec. 5 - NAT66 Address Mapping Mechanisms
- Topology hiding is in fact possible without losing reversibility
of the mapping. Cf the comment on 5.1.2.
Sec. 5.1 - Checksum-Neutral Mapping
- IMHO, it would be useful to make it clear in this section (like in
the introduction) that the proposed mapping does not apply to
addresses that are transmitted in payloads. ALGs could be be added
to convert addresses in TCP payloads TCP, as it is done in some
NAT44s. But it cannot be done not in SCTP payloads because of the
stronger checksum algorithm.
Sec. 5.1.1 - Two-way Algorithmic Address Mapping
- The proposed limitation to /48 internal and external prefixes is
stronger than necessary.
- A sufficient limitation is that external prefixes are not longer
than internal ones. (If the external prefix is shorter, a few 0
bits can be added to it, up to the length to the internal one.) For
example a /56 external with a /60 internal should be permitted.
Sec. 5.1.2 - Topology hiding Option
- For outgoing UDP and TCP connections, it is in fact possible to
hide the internal topology without losing reversibility of the
mapping: the algorithmic mapping is, for this, applied jointly to
the subnet identifier AND to port bits (excluding port-bits 0 and 1
that must remain constant in dynamic ports). UDP and TCP checksums
are then incrementally adjusted (like IP checksums).
- In addition to topology hiding, this mechanism provides _host
privacy_ , as defined in the comment on sec. 3 :-) .
Sec 6. - Prefixes for Port Mapping
- I don't see the need for this section in this document. The
mapping applies to internal and external prefixes, independently of
how they can be configured.
Sec 7 - A note on Port Mapping
- Agreed: address amplification should not be needed in IPv6. Agreed
also: some transport layers that encrypt data are incompatible with
port mapping. But this is not sufficient to abandon port mapping all-
over. (See the comment on 5.1.2.)
Sec 8 - Security Considerations
- In TCP, DCCP, SCTP, packets that initiate connection
establishments can be individually recognized (SYN without ack in
the case of TCP). Incoming connections can therefore be blocked
with stateless operation, but this is not the case for UDP (per-
connection stateful operation is needed). Whether blocking UDP
incoming connections is worth it, in global to local IPv6 gateways,
is therefore uncertain (hosts must anyway have their own blocking
of undesirable incoming connections).
- the document introduces IMO a *very useful subject*.
- Before freezing any recommendation, its relationship with other
layers, in particular with other stateless address mappings, should
be further studied.
Margaret Wasserman (1-12/1-31/200x) 10/27/08 7:59 PM:
I have posted a NAT66 draft, so that we can have a better-grounded
discussion of whether it makes sense to include NAT66 as a work
item in the behave charter. The draft can be found at the
Feedback would be greatly appreciated!